
I am working on a project where we have to write a login page with PHP and then exploit it using SQL injection, before fixing the vulnerability. So far I've written the login page, which connects to a database and does a lookup to see if a user exists, if they do then they can log in.

However, no matter what I've tried, I can't seem to be able to exploit it to print out other users, bypass passwords, etc., and I'm not sure why (new to PHP). I haven't done any input sanitizing.

HTML input form:

<?php session_start(); // must run before any output, otherwise the $_SESSION write further down has no session ?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><font face = "Arial" size="4" color="#6b8e23">Login Menu</font></p>
<input type="text" name="username" placeholder="Username" />
<div><input type="password" name="password" placeholder="password" /></div>
<input type="submit" name="Login" value="Login" />
</form>

<?php
// connect to database
$host = "localhost";
$username = 'root';
$password = '';
$dbname = "accounts";
$con = mysqli_connect($host, $username, $password, $dbname);

//check to ensure connection exists !DEBUG!
if (!$con) {
    ?>
    <p><font face = "Arial" size="4" color="#ff4500">No Connection</font></p>
    <?php
    // die() ends the script, so it has to come after the message it would otherwise hide
    die("Connection Failed: " . mysqli_connect_error());
} else {
    ?>
    <p><font face = "Arial" size="4" color="#ff4500">Connection established with sql server </font></p>
<?php
}

//if the form has been submitted
if (isset($_POST['Login']))
{
    //user login details
    $user = $_POST['username'];
    $pass = $_POST['password'];

    if($user != "" && $pass != "")
    {
        // input is concatenated straight into the query (the injection point this exercise is about)
        $sql_query = "SELECT count(*) as cntUser FROM users where usernames='".$user."' AND passwords='".$pass."'";

        $result = mysqli_query($con, $sql_query);
        // a query MySQL rejects returns false; fetching from it only gives a warning and a count of 0,
        // so report the error and the query that was actually sent instead
        if ($result === false) {
            die("Query failed: " . mysqli_error($con) . " (query was: " . htmlspecialchars($sql_query) . ")");
        }
        $row = mysqli_fetch_array($result);
        $count = $row['cntUser'];

        if($count > 0)
        {
            $_SESSION['username'] = $user;
            ?>
            <p><font face = "Arial" size="4" color="#ff4500">User Found</font></p>
            <?php
        } else {
            ?>
            <p><font face = "Arial" size="4" color="#ff4500">No User by that name</font></p>
            <?php
        }
    }
}
?>

Thanks for reading over this, been stuck at it for a while now and I just can't figure it out!

Connor J
  • Not really sure if this is the correct place to ask about this stuff. It's not really a coding issue per se. To point you in the right direction, understand that anything you send as `$_POST['username']` will be part of the query. If `$_POST['username']` is `lol' or 1=1; --` your `$sql_query` becomes `SELECT count(*) as cntUser FROM users where usernames='lol' or 1=1; -- AND passwords= '` (in MySQL anything after `--` is a comment). I guess what I'm saying is, learn some sql before attempting this? – IsThisJavascript Apr 03 '18 at 10:06
  • Yeah I wasn't sure myself, I was wondering if it was a coding issue though so I thought I'd try on here. The `or 1=1; --` was the first thing I tried but if the script is able to find someone it should print out the User Found message - but when I use any kind of sql statement I don't receive that message, which appears that the injection isn't working – Connor J Apr 03 '18 at 10:15
  • `which appears that the injection isnt working` Try not to be this naive ever again lol. It's possible that on your server you have `--` disabled as a comment which means you have a bit more work in crafting an injectable SQL payload. The only thing that will ever prevent an injection attack is by using `prepare` – IsThisJavascript Apr 03 '18 at 10:19
  • @IsThisJavascript, can you give an example of how one would disable `--` syntax for comments? I'm not aware that this is configurable, and there is no mention of disabling comment syntax in the doc: https://dev.mysql.com/doc/refman/5.7/en/comments.html – Bill Karwin Apr 03 '18 at 13:58
  • @BillKarwin Sorry yes you're right. I was thinking of an old answer I remember but got mixed up slightly; I thought `NO_BACKSLASH_ESCAPES` toggle was with `--` until I re-read it **facepalm**. I wonder why the OP couldn't get a login with using `--` in the `$_POST['username']` though. It was quite the honor to get a tag from you however :X – IsThisJavascript Apr 03 '18 at 14:07

1 Answer


It's all about handling the values of login and password. As long as they are not escaped, a malicious user can send values with a single quote sign. As a result, the following characters will be interpreted as part of the SQL query. I suggest printing the complete SQL query that is built in your script.

For example entering

' OR TRUE OR passwords='

as the password will make it log in without knowing what the password is, as the query will become:

SELECT count(*) as cntUser FROM users where usernames='root' AND passwords='' OR TRUE OR passwords=''

Tig
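The fix the question is working toward, as an added example that is not part of the question or the answer: the same count(*) lookup rewritten with a mysqli prepared statement, so a quote inside the submitted value is sent to MySQL as data and never reaches the SQL parser. The connection values, table and column names are taken from the question; the `userExists` helper name is an assumption.

```php
<?php
// Added example, not code from the question: the lookup from the original page
// done with a prepared statement instead of string concatenation.
session_start();

$con = mysqli_connect("localhost", "root", "", "accounts");
if (!$con) {
    die("Connection Failed: " . mysqli_connect_error());
}

// Hypothetical helper name. Returns true when a row matches both values.
function userExists(mysqli $con, string $user, string $pass): bool
{
    // The query text holds only placeholders, so its structure is fixed before
    // any user input exists; the input can no longer close the quoted literal.
    $stmt = mysqli_prepare(
        $con,
        "SELECT count(*) AS cntUser FROM users WHERE usernames = ? AND passwords = ?"
    );
    if ($stmt === false) {
        die("Prepare failed: " . mysqli_error($con));
    }

    // Bind both values as strings ("ss"). A value such as  ' OR TRUE OR passwords='
    // is now compared literally against the column instead of being parsed as SQL.
    mysqli_stmt_bind_param($stmt, "ss", $user, $pass);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $count);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    return $count > 0;
}

// Replaces the string-built $sql_query block of the question's page.
if (isset($_POST['Login'])) {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if ($user !== '' && $pass !== '') {
        if (userExists($con, $user, $pass)) {
            $_SESSION['username'] = $user;
            echo "<p>User Found</p>";
        } else {
            echo "<p>No User by that name</p>";
        }
    }
}
```

With this version the payload from the answer simply fails to match any row, which is the behaviour to confirm after the exploit step of the exercise.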